People Intelligence

Reconnaissance

People intelligence reveals the human element of your target organization. Understanding employees, their roles, social media presence, and digital footprint is crucial for social engineering campaigns.

Privacy & Ethics

People OSINT must be conducted ethically and within legal boundaries. Never access private accounts, stalk individuals, or collect information outside the scope of your authorized engagement.

Tool Installation

Sherlock

Username
Docs

Hunt down social media accounts by username across 400+ sites.

Installation

bash 
pip install sherlock-project

Maigret

Username
Docs

Collect person's data from thousands of sites (Sherlock fork).

Installation

bash 
pip install maigret

Social-Analyzer

Social
Docs

API and CLI for analyzing social media profiles.

Installation

bash 
pip install social-analyzer

GHunt

Google
Docs

Investigate Google accounts using email addresses.

Installation

bash 
pip install ghunt

Holehe

Email
Docs

Check if an email is registered on different sites.

Installation

bash 
pip install holehe

WhatsMyName

Username
Docs

Username enumeration across many platforms.

Installation

bash 
git clone https://github.com/WebBreacher/WhatsMyName.git

Username Enumeration

username-osint.sh
bash 
# Sherlock - most popular username search
sherlock username
sherlock username --timeout 10
sherlock username --print-found  # Only show found accounts
sherlock username -o results.txt

# Search multiple usernames
sherlock username1 username2 username3

# Maigret - enhanced Sherlock alternative
maigret username
maigret username --all-sites  # Check all 2500+ sites
maigret username --html report.html
maigret username --pdf report.pdf

# Social-Analyzer
social-analyzer --username username --metadata
social-analyzer --username username --websites instagram,twitter,linkedin

# WhatsMyName web check
python web_accounts_list_checker.py -u username

# Namechk (online)
# https://namechk.com - visual username checker

# Instant Username (online)
# https://instantusername.com - real-time availability

LinkedIn Intelligence

linkedin-osint.sh
bash 
# CrossLinked - LinkedIn employee enumeration
crosslinked -f '{first}.{last}@target.com' "Target Company"
crosslinked -f '{f}{last}@target.com' "Target Company" --safe

# linkedin2username - requires LinkedIn cookies
python linkedin2username.py -c "Target Company" -n 500

# Google Dorks for LinkedIn
site:linkedin.com/in "target company"
site:linkedin.com "security engineer" "target company"
site:linkedin.com "CISO" OR "Chief Information Security" "target company"
site:linkedin.com "target company" "email" | "contact"

# Find decision makers
site:linkedin.com "target company" "VP" | "Director" | "Head of"
site:linkedin.com "target company" "IT Manager" | "System Administrator"

# LinkedIn search operators (within LinkedIn)
company:"Target Company" title:"Security Engineer"
company:"Target Company" school:"MIT"
company:"Target Company" connections:500+

# LinkedIn enumeration via Google
# Search pattern: "Name - Title at Company | LinkedIn"
site:linkedin.com/in "at target company"

Social Media OSINT

social-media-osint.sh
bash 
# Twitter/X Intelligence
# Search: from:@targetuser since:2020-01-01
# Search: @targetcompany OR #targetcompany
# Search: to:@targetuser  (replies to user)

# Twint - Twitter scraping (if still works)
twint -u username --timeline
twint -u username --followers
twint -s "target company" --email

# Instagram OSINT
# Tools: Instalooter, Instaloader
pip install instaloader
instaloader profile username
instaloader --login=yourusername profile targetuser

# Facebook Graph Search alternatives
# Use Facebook search with keywords
# Check public groups, events, check-ins

# Reddit OSINT
# User profile: reddit.com/user/username
# Search: author:username
# Tools: Reddit Investigator, Redective

# Social-Analyzer for multi-platform
social-analyzer --username target --websites "twitter,instagram,facebook,linkedin"

Google Account OSINT

google-osint.sh
bash 
# GHunt - investigate Google accounts
ghunt login  # First time setup
ghunt email target@gmail.com

# GHunt reveals:
# - Google ID
# - Profile photos
# - Google Maps reviews
# - Google Calendar (if public)
# - YouTube channel
# - Google Play reviews

# Holehe - check email registration
holehe email@target.com

# Holehe reveals which sites email is registered on:
# - Social media
# - Gaming platforms
# - Dating sites
# - Shopping sites
# - Various services

# Epieos (online)
# https://epieos.com - comprehensive email lookup
# Reveals: Google ID, social accounts, registered services

Image & Geolocation OSINT

image-osint.sh
bash 
# Extract EXIF metadata from images
exiftool image.jpg
exiftool -gps* image.jpg  # GPS data only
exiftool -a -u -g1 image.jpg  # All metadata

# Remove EXIF data
exiftool -all= image.jpg

# Reverse image search
# Google Images: images.google.com
# TinEye: tineye.com
# Yandex Images: yandex.com/images (often better results)
# Bing Visual Search

# Face recognition search (controversial)
# PimEyes: pimeyes.com
# FaceCheck: facecheck.id

# Geolocation from images
# Look for:
# - GPS coordinates in EXIF
# - Street signs, landmarks
# - Building architecture
# - Sun position/shadows
# - Language on signs
# - Vehicle license plates

# GeoGuessr skills apply!
# Tools: Google Earth, Google Street View
# SunCalc.org - calculate sun position from shadows

# Photo forensics
# FotoForensics: fotoforensics.com
# Image Edited: imageedited.com

People Search Engines

These services aggregate public records and are primarily useful for US targets.

people-search.txt
text 
# US People Search Engines
# Pipl - pipl.com (paid, most comprehensive)
# Spokeo - spokeo.com
# BeenVerified - beenverified.com
# WhitePages - whitepages.com
# TruePeopleSearch - truepeoplesearch.com (free)
# FastPeopleSearch - fastpeoplesearch.com (free)
# ThatsThem - thatsthem.com (free)

# Public Records
# Court records: PACER (federal), state court websites
# Property records: County assessor websites
# Business registrations: State Secretary of State
# SEC filings: sec.gov (public companies)
# Political donations: FEC.gov

# International variants
# UK: 192.com, ukphonebook.com
# Australia: whitepages.com.au
# Canada: canada411.ca

# Professional registrations
# State bar associations (lawyers)
# Medical board databases (doctors)
# Professional licensing boards

Employee Enumeration Workflow

employee-enum.sh
bash 
# Complete employee enumeration workflow

# Step 1: LinkedIn enumeration
crosslinked -f '{first}.{last}' "Target Company" > names.txt

# Step 2: Generate emails using discovered format
# If format is first.last@target.com:
cat names.txt | while read name; do
  first=$(echo $name | awk '{print tolower($1)}')
  last=$(echo $name | awk '{print tolower($2)}')
  echo "$first.$last@target.com"
done > emails.txt

# Step 3: Verify which emails exist
cat emails.txt | while read email; do
  holehe "$email" 2>/dev/null
done > verified.txt

# Step 4: Check for breaches
h8mail -t emails.txt -c config.ini

# Step 5: Social media enumeration
cat names.txt | while read name; do
  username=$(echo $name | tr ' ' '' | tr '[:upper:]' '[:lower:]')
  sherlock "$username" --print-found
done

# Step 6: Compile into org chart
# Map: Name -> Role -> Email -> Social accounts -> Potential targets

External Resources

OSINT Framework

Comprehensive collection of OSINT tools by category

Namechk

Visual username availability checker

PimEyes

Face recognition search engine

Ultimate OSINT Collection

Curated OSINT resource bookmark collection

IntelTechniques

Michael Bazzell's OSINT tools and resources

Awesome OSINT

Curated list of OSINT resources on GitHub

Related Topics

OSINT Overview

Infrastructure Intel

Social Engineering